Earlier in July, a major security flaw in some Android devices came to light that requires the attacker to have only your cell phone number, according to security research firm Zimperium.

The flaw allows remote code execution that could be initiated by sending the target Android smartphone user a text message. The vulnerability targets a media playback system called Stagefright.

The frightening name of the exploit is actually derived from the media playback engine (the focus of the exploit) at the native level of Android, which is called “Stagefright.”

“Attackers only need your mobile number,” Zimperium’s security report said on Monday. “Using [that] they can remotely execute code via a specially crafted media file delivered via MMS.”

Even more troubling, the firm says that the message could be deleted before the user even gets to read it — with nothing but a notification appearing on the handset.

“Before you wake up, the attacker will remove any signs of the device being compromised and you will continue your day as usual – with a Trojaned phone,” the report warns.

The firm claims that Android devices using versions prior to the Jelly Bean release — Froyo, Gingerbread and Ice Cream Sandwich, which together are currently used by an estimated 11% of Android users — are at the most risk.


The Stagefright Detector App will scan your phone and tell you whether it’s vulnerable or if you need to update your mobile OS. It’s available on Google Play for free.

In July, the bug in Android’s media playback system, Stagefright, described above, which required an attacker only to send a specially crafted text message to the victim’s phone in order to remotely execute code, left nearly a billion devices vulnerable to hackers.

Even though Google promptly issued a patch for that particular vulnerability, the security research company that found the original bug, Zimperium, has now found two new vulnerabilities in Stagefright, enabling hackers to take over an Android device by sending the victim a specially crafted multimedia file.

The new exploits are based on the way Android handles MP3 audio and MP4 video files. One vulnerability, in the libutils library, impacts “almost every Android device since version 1.0,” according to Zimperium, but devices are only at risk if a third-party app or a vendor-installed app is using the vulnerable function. The other, in the libstagefright library, can be used to trigger the first one in newer devices running Android 5.0 and up.

“All Android devices without the yet-to-be-released patch contain this latent issue.”


In practice, this means an attacker can remotely execute code on a victim’s device by sending them a malicious MP3 or MP4 file.

Unlike the original Stagefright exploit, which required sending a text message, an attacker is now more likely to try to lure the victim onto a website that contains the malicious multimedia file. The bad part is that the victim doesn’t even have to open the file.

“The vulnerability lies in the processing of metadata within the files, so merely previewing the song or video would trigger the issue,” Zimperium wrote in a blog post.

Though Google has acknowledged the issue, a patch is still not available. Worse, even after Google releases it, it might take some time for Android phone manufacturers to implement it, as it did with the original Stagefright bug.

The best course of action for users right now is to avoid opening multimedia files and links from unknown sources.
